The data protection legislation in both Guernsey and Jersey prescribes offences of knowingly or recklessly obtaining or disclosing personal data (or the information contained within it) without the consent of the relevant controller. These mirror the offences set out in the UK’s Data Protection Act 2018.

It should be emphasised that a person acting in this manner commits a criminal offence (subject to proving any available defence). This is not a case of civil liability and hoping to rely on professional indemnity insurance to cover the costs of the error. On conviction for this particular offence, perpetrators in Jersey face the imposition of a fine, and those in Guernsey risk a combination of a fine and/or prison sentence of up to two years. Furthermore, where that individual is working in the financial services industry, theft of personal data is likely to be viewed seriously by the GFSC and JFSC when it comes to assessing whether an individual should be regarded as fit and proper.

Nevertheless, it seems that the threat of criminal sanction has not proved to be a sufficient deterrent to certain disgruntled or overly curious employees. Two very recent UK cases (dealt with under the previous regime of the Data Protection Act 1998) resulted in the imposition of fines on employees who unlawfully accessed patient medical records and the personal data of customers of a car dealership.

In Guernsey, February 2019 saw the acquittal of a hospital employee facing prosecution for unlawfully accessing patient records without proper justification, and judicial criticism that the employer did not, apparently, have in place a suitably accessible data protection policy at the relevant time. Whilst the new data protection regimes in both the UK and Guernsey will no doubt have led to changes and improvements in the approaches of the businesses or departments concerned, the actions of employees (whether “rogue” or inadvertent) remain one of the main sources of concern for boards.

Unfortunately for businesses, the ramifications of deliberate breaches by employees do not stop at the point of individual criminal sanction for the perpetrator.

A stark warning lies in the well-publicised case involving the deliberate circulation of employees’ payroll data by a disgruntled internal auditor of the Morrisons supermarket chain. The Court of Appeal in the UK upheld the High Court’s finding that, notwithstanding that the perpetrator’s actions were deliberate and intended to cause harm to Morrisons, the employer was vicariously liable for those actions (and the compensation sought by the employees).

It will be of concern to businesses that the deliberate act of a disgruntled employee can result in the employer shouldering loss claimed by the ultimate victims of the data breach. On policy grounds, it is understandable that the rights of the data subjects are best protected by way of civil redress against a financially stable (and usually insured) business. Whilst the sight of individual perpetrators being prosecuted may bring short term satisfaction for those impacted, there is often no effective redress or compensation available.

All is not lost – businesses can minimise their risk in the following ways:

1. Regular staff training on data protection policy, including updates and refresher training, ensuring that staff understand and acknowledge their individual obligations and those of the business. Culture is key.

2. Pessimistic security measures limiting access to personal data to staff who require it for a specific and legitimate purpose.

3. Monitoring staff access to personal data held by the business so as to detect any unusual patterns of access or extraction.

4. Regular reviews of personal data inventories held by the business so as to ensure compliance with restrictions on time limits for its retention.

If properly implemented and maintained, the above measures will assist a business to reduce the risk of accidental or deliberate conduct by staff that could result in civil or criminal liabilities. Building a culture of security and trust within an organisation and with customers is vital to maintaining success in today’s digital economy.
